Security - Versus
HSM vs TPM vs KMS
- TPM: Trusted Platform Module
  - a chip on the system board of a computer.
  - stores cryptographic keys and related secrets that the system needs to encrypt certain data relating to that system.
  - e.g. used for FDE (Full-Disk Encryption): if the hard drive is cloned and connected to another machine, it is not readable without the cryptographic material held in the TPM, making the data useless to anyone but you.
- HSM: Hardware Security Module
  - a standalone piece of hardware: not soldered onto the motherboard, but attached as a USB device or mounted in a rack.
- KMS: Key Management System
  - a newer technology than both TPM and HSM.
  - can operate across multiple platforms, such as cloud and hybrid environments.
SIEM vs SOAR
- SIEM: Security Information and Event Management: provides real-time analysis of security alerts generated by applications and network hardware. Focuses on log management and threat detection.
- SOAR: Security Orchestration, Automation, and Response: Focuses on automating incident response processes. SOAR takes alerts from SIEM and automates the steps to address them. SOAR uses AI and automation to prioritize and respond to security incidents.
SIEM examples:
- use Splunk to collect and analyze logs to detect security issues.
- GCP provides Google Security Operations, formerly Chronicle.
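The SIEM-then-SOAR flow described above, as an added example that is not part of the original notes and not code from Splunk or Google Security Operations: a SIEM-style correlation rule runs over constructed sshd log lines and raises an alert, and a SOAR-style playbook takes that alert, prioritises it by severity and returns the response steps it would execute. The log lines, the rule name, the threshold (5 failures in 60 seconds) and the playbook actions are all assumptions made for the demonstration; the actions are returned as data rather than executed so that the pipeline runs offline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not from a real host); the IPs are documentation addresses.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z sshd[101]: Failed password for root from 203.0.113.7 port 51001 ssh2",
    "2024-05-01T10:00:03Z sshd[101]: Failed password for root from 203.0.113.7 port 51002 ssh2",
    "2024-05-01T10:00:05Z sshd[101]: Failed password for admin from 203.0.113.7 port 51003 ssh2",
    "2024-05-01T10:00:06Z sshd[101]: Failed password for root from 203.0.113.7 port 51004 ssh2",
    "2024-05-01T10:00:09Z sshd[101]: Failed password for root from 203.0.113.7 port 51005 ssh2",
    "2024-05-01T10:00:12Z sshd[101]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2",
    "2024-05-01T10:01:00Z sshd[101]: Failed password for bob from 198.51.100.21 port 40002 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_line(line: str):
    """Normalise one raw log line into a dict (the log-management half of a SIEM)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """SIEM-style correlation rule: >= threshold failed logins from one IP inside a sliding window."""
    recent = defaultdict(list)          # ip -> [(ts, user), ...] still inside the window
    alerts, alerted = [], set()
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["result"] != "Failed":
            continue
        ip = ev["ip"]
        recent[ip] = [(t, u) for t, u in recent[ip] if ev["ts"] - t <= window]
        recent[ip].append((ev["ts"], ev["user"]))
        if len(recent[ip]) >= threshold and ip not in alerted:
            alerted.add(ip)
            users = {u for _, u in recent[ip]}
            alerts.append({
                "rule": "ssh_password_bruteforce",
                "source_ip": ip,
                "failures": len(recent[ip]),
                "users": sorted(users),
                # a privileged account being targeted raises severity for the SOAR layer
                "severity": "high" if "root" in users else "medium",
            })
    return alerts


PLAYBOOK = {  # SOAR-style playbook (assumed): alert severity -> ordered, simulated response steps
    "high": ["block_source_ip_at_firewall", "open_incident_ticket", "page_on_call"],
    "medium": ["open_incident_ticket"],
}


def run_playbook(alerts):
    """SOAR-style orchestration: rank alerts by severity and return the actions that would run."""
    order = {"high": 0, "medium": 1}
    ranked = sorted(alerts, key=lambda a: order[a["severity"]])
    return [{"source_ip": a["source_ip"], "severity": a["severity"],
             "actions": PLAYBOOK[a["severity"]]} for a in ranked]


if __name__ == "__main__":
    for step in run_playbook(detect_bruteforce(SAMPLE_LOGS)):
        print(step)
```

The split mirrors the two products: `detect_bruteforce` only decides that something happened and how serious it is, while `run_playbook` decides what to do about it, so either half can be swapped out without touching the other.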
LUKS vs dm-crypt
- LUKS has a header, dm-crypt does not.
- The header allows multiple different passphrases to be used, with the ability to change and remove them.
- If the header is lost or corrupted, the device will no longer be decryptable.
- There are two versions of LUKS; LUKS2 adds resilience to header corruption.
- The reference implementation for LUKS operates on Linux and is based on an enhanced version of cryptsetup, using dm-crypt as the disk encryption backend.
A common use of LUKS is full disk encryption: the root partition of an operating system installation is encrypted, which protects the operating system files from being tampered with or read by unauthorized parties.
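To make the header points concrete, here is an added example (not code from the original notes or from the cryptsetup project) that parses the LUKS1 on-disk header layout: magic, version, cipher, hash, and the eight keyslots whose "active" marker is what lets several passphrases coexist. It builds a constructed header with two active slots, then shows that a zeroed header (the "lost or corrupted" case) and a header whose every slot has been disabled both leave the volume unopenable. The sample cipher, UUID and offsets are made-up values; the field layout and the 0x00AC71F3 / 0x0000DEAD slot markers follow the LUKS1 specification.

```python
import os
import struct

# LUKS1 on-disk header layout (big-endian integers), per the LUKS1 format specification.
LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"   # fixed part: 208 bytes
KEYSLOT_FMT = ">II32sII"                 # one keyslot: 48 bytes
NUM_KEYSLOTS = 8
LUKS_KEY_ENABLED = 0x00AC71F3
LUKS_KEY_DISABLED = 0x0000DEAD
HEADER_SIZE = struct.calcsize(PHDR_FMT) + NUM_KEYSLOTS * struct.calcsize(KEYSLOT_FMT)  # 592


def parse_luks1_header(blob: bytes) -> dict:
    """Parse a LUKS1 header; raise ValueError when the magic or version is wrong."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("too short to be a LUKS1 header")
    (magic, version, cipher, mode, hashspec, payload_offset, key_bytes,
     _mk_digest, _mk_salt, _mk_iters, uuid) = struct.unpack_from(PHDR_FMT, blob, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("bad LUKS magic: header missing or corrupted")
    if version != 1:
        raise ValueError(f"unsupported LUKS version {version}")
    active_slots = []
    off = struct.calcsize(PHDR_FMT)
    for slot in range(NUM_KEYSLOTS):
        active, _iters, _salt, _km_off, _stripes = struct.unpack_from(KEYSLOT_FMT, blob, off)
        if active == LUKS_KEY_ENABLED:
            active_slots.append(slot)
        off += struct.calcsize(KEYSLOT_FMT)
    return {
        "cipher": cipher.rstrip(b"\0").decode(),
        "mode": mode.rstrip(b"\0").decode(),
        "hash": hashspec.rstrip(b"\0").decode(),
        "key_bytes": key_bytes,
        "payload_offset_sectors": payload_offset,
        "uuid": uuid.rstrip(b"\0").decode(),
        "active_slots": active_slots,
    }


def build_sample_header(active_slots=(0, 1)) -> bytes:
    """Construct a synthetic LUKS1 header (constructed sample, not read from a real disk)."""
    phdr = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                       4096, 64, os.urandom(20), os.urandom(32), 1000,
                       b"00000000-0000-4000-8000-000000000000")
    slots = b""
    for slot in range(NUM_KEYSLOTS):
        enabled = slot in active_slots
        state = LUKS_KEY_ENABLED if enabled else LUKS_KEY_DISABLED
        # iterations/salt only matter for enabled slots; offsets are made-up sector numbers
        slots += struct.pack(KEYSLOT_FMT, state, 100000 if enabled else 0,
                             os.urandom(32), 8 + slot * 256, 4000)
    return phdr + slots


def header_is_usable(blob: bytes) -> bool:
    """True only if the header parses and at least one keyslot can still unlock the volume."""
    try:
        return bool(parse_luks1_header(blob)["active_slots"])
    except ValueError:
        return False


if __name__ == "__main__":
    hdr = build_sample_header((0, 1))
    print(parse_luks1_header(hdr))
    print("intact header usable:", header_is_usable(hdr))
    print("zeroed header usable:", header_is_usable(b"\0" * len(hdr)))      # header lost
    print("all slots killed usable:", header_is_usable(build_sample_header(())))
```

This is the reason a header backup (cryptsetup's `luksHeaderBackup`) belongs in any LUKS deployment runbook: the 592 bytes parsed here are the only place the keyslot material lives, and plain dm-crypt has no such structure at all, so the passphrase-to-key mapping must be supplied out of band.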
Data at rest vs data in transit vs data in use
- data at rest: in storage / database
- data in transit: across network
- data in use: data during processing, such as when it is being searched, sorted, or indexed by an application.
  - e.g. GCP Confidential Computing secures data in use: https://cloud.google.com/confidential-computing/docs/confidential-computing-overview
YARA vs TLSH
TLSH and YARA are both used in cybersecurity, but for different purposes. TLSH (Trend Micro Locality Sensitive Hash) is a fuzzy hashing algorithm focused on identifying similarities between files, even with minor modifications. YARA, on the other hand, is a pattern-matching tool that uses rules to identify and classify malware based on specific characteristics like strings, file attributes, and behavior.
More on TLSH:
TLSH is a fuzzy matching program and library. Given a file (min 50 bytes), TLSH generates a hash value which can be used for similarity comparisons. Similar files will have similar hash values which allows for the detection of similar objects by comparing their hash values.
TLSH (Trend Micro Locality Sensitive Hash) is a fuzzy hashing algorithm used for identifying similar files, even if they have been slightly modified. Unlike cryptographic hashes like SHA256, which change drastically with even minor alterations, TLSH is designed to produce similar hash values for files with similar content. This makes it valuable for tasks like malware variant detection, where attackers might slightly alter malicious files to evade signature-based detection.
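The contrast between the two tools, as an added example that is not part of the original notes and not the TLSH or YARA implementations themselves: a toy locality-sensitive hash that, like TLSH, counts 3-byte windows into 128 buckets and quantises each bucket to two bits by quartiles (so a lightly edited file stays close while SHA-256 changes completely), beside a toy YARA-style rule that matches literal strings with an "any of them" / "all of them" condition. The bucket mixing function, the distance measure and the three sample files (a constructed config, a lightly edited copy, and an unrelated numeric file) are assumptions for the demonstration; only the 50-byte minimum mirrors real TLSH.

```python
import hashlib

MIN_LEN = 50      # TLSH refuses inputs under 50 bytes; this toy mirrors that limit
BUCKETS = 128     # 128 buckets x 2 bits = 256-bit body, like a TLSH digest body


def _bucket(b0: int, b1: int, b2: int) -> int:
    """Map a 3-byte window to one of 128 buckets (simple multiplicative mix, not TLSH's Pearson hash)."""
    return (b0 * 0x9E37 + b1 * 0x79B9 + b2 * 0x7F4A) & (BUCKETS - 1)


def lsh_digest(data: bytes) -> str:
    """Toy locality-sensitive hash: count 3-gram buckets, quantise each bucket to 2 bits by quartiles."""
    if len(data) < MIN_LEN:
        raise ValueError(f"input must be at least {MIN_LEN} bytes, got {len(data)}")
    counts = [0] * BUCKETS
    for i in range(len(data) - 2):
        counts[_bucket(data[i], data[i + 1], data[i + 2])] += 1
    ordered = sorted(counts)
    q1, q2, q3 = ordered[BUCKETS // 4], ordered[BUCKETS // 2], ordered[3 * BUCKETS // 4]
    body = 0
    for c in counts:
        sym = 3 if c > q3 else 2 if c > q2 else 1 if c > q1 else 0
        body = (body << 2) | sym
    return body.to_bytes(BUCKETS // 4, "big").hex()


def lsh_distance(h1: str, h2: str) -> int:
    """Sum of absolute differences between corresponding 2-bit symbols (0 = same distribution)."""
    a, b = int(h1, 16), int(h2, 16)
    dist = 0
    for _ in range(BUCKETS):
        dist += abs((a & 3) - (b & 3))
        a >>= 2
        b >>= 2
    return dist


def yara_like_match(data: bytes, rule: dict) -> bool:
    """Toy YARA-style evaluation: literal strings plus an 'any of them' / 'all of them' condition."""
    hits = [s in data for s in rule["strings"]]
    return all(hits) if rule["condition"] == "all of them" else any(hits)


# Constructed samples (no real malware): A, a lightly edited copy B, and an unrelated file C.
SAMPLE_A = (b"service: inventory-api\nhosts: 10.0.0.5, 10.0.0.6, 10.0.0.7\nports: 8080, 8443\n"
            b"timeouts: connect=5s read=30s write=30s\nretries: 3\nlog_level: info\n"
            b"marker: CONSTRUCTED-SAMPLE-TOKEN-XYZ\n")
SAMPLE_B = SAMPLE_A.replace(b"read=30s", b"read=45s").replace(b"info", b"debug")
SAMPLE_C = b"".join(b"%08d,%08d\n" % (i * 7919, i * 104729) for i in range(24))

RULE = {"name": "constructed_marker",
        "strings": [b"CONSTRUCTED-SAMPLE-TOKEN", b"log_level: debug"],
        "condition": "any of them"}


def compare(a: bytes, b: bytes) -> dict:
    """Exact hash equality versus fuzzy distance for the same pair of inputs."""
    return {
        "sha256_equal": hashlib.sha256(a).hexdigest() == hashlib.sha256(b).hexdigest(),
        "lsh_distance": lsh_distance(lsh_digest(a), lsh_digest(b)),
    }


if __name__ == "__main__":
    print("A vs B (edited copy):", compare(SAMPLE_A, SAMPLE_B))
    print("A vs C (unrelated):  ", compare(SAMPLE_A, SAMPLE_C))
    print("rule hits A:", yara_like_match(SAMPLE_A, RULE), "hits C:", yara_like_match(SAMPLE_C, RULE))
```

The two approaches answer different questions: the rule says "does this file contain the things I described", which is precise but brittle against rewording, while the fuzzy digest says "how far is this file from one I have seen", which tolerates small edits but needs a reference corpus and a distance threshold tuned to the file type.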
Impersonation vs. Delegation
Both delegation and impersonation involve a principal acting under the authority of a different principal.
- Impersonation is the ability for one identity (typically a service account or a privileged user) to assume the complete identity of another. When Service A impersonates User B, for all intents and purposes, Service A is User B and has all the rights and permissions that User B has.
- Delegation is the process where an identity (the user) grants specific, limited permissions to another identity or application to act on its behalf. The application never becomes the user; it simply holds a token that proves it has been granted permission to perform specific actions.
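The distinction in code, as an added example that is not part of the original notes and not tied to any particular identity provider: an impersonation token carries every permission the target user holds, while a delegated token carries only the scopes the user chose to grant, and the authorization check refuses anything outside them. The permission table, the principal names (`user_b`, `service_a`) and the scope strings are hypothetical; the point to take from it is that both token kinds record the real actor separately from the subject, so the audit line never loses who actually made the call.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed permission table: what each principal holds in its own right (hypothetical names).
PERMISSIONS = {
    "user_b": {"calendar.read", "calendar.write", "mail.read", "mail.send"},
    "service_a": {"metrics.write"},
}


def now() -> datetime:
    return datetime.now(timezone.utc)


@dataclass(frozen=True)
class Token:
    subject: str          # the principal whose authority is being exercised
    actor: str            # the principal actually making the call (kept for the audit trail)
    scopes: frozenset     # permissions this token may exercise
    delegated: bool       # True = limited grant from the subject; False = full impersonation
    expires: datetime


def impersonate(service: str, user: str, ttl=timedelta(hours=1)) -> Token:
    """Impersonation: the service obtains a token carrying every permission the user holds."""
    return Token(subject=user, actor=service, scopes=frozenset(PERMISSIONS[user]),
                 delegated=False, expires=now() + ttl)


def delegate(user: str, app: str, scopes, ttl=timedelta(minutes=15)) -> Token:
    """Delegation: the user grants the app a subset of its own permissions and nothing more."""
    requested = frozenset(scopes)
    not_held = requested - PERMISSIONS[user]
    if not_held:   # a principal cannot delegate authority it does not itself have
        raise PermissionError(f"{user} cannot delegate {sorted(not_held)}")
    return Token(subject=user, actor=app, scopes=requested, delegated=True, expires=now() + ttl)


def authorize(token: Token, action: str, at: datetime = None):
    """Return (allowed, audit_line). The audit line always names both actor and subject."""
    at = at or now()
    kind = "delegated" if token.delegated else "impersonated"
    if at >= token.expires:
        return False, f"deny {action}: token expired actor={token.actor} subject={token.subject}"
    if action not in token.scopes:
        return False, f"deny {action}: outside {kind} scope actor={token.actor} subject={token.subject}"
    return True, f"allow {action}: actor={token.actor} subject={token.subject} ({kind})"


if __name__ == "__main__":
    imp = impersonate("service_a", "user_b")
    dlg = delegate("user_b", "service_a", ["calendar.read"])
    for tok, action in [(imp, "mail.send"), (dlg, "calendar.read"), (dlg, "mail.send")]:
        print(authorize(tok, action)[1])
```

Two defensive details are built in: the delegated token gets a shorter default lifetime than the impersonation token, because a narrow grant is usually tied to one task, and `delegate` rejects scopes the user does not hold, since a delegation can never confer more authority than the delegator has.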